From c3ade30ac1dd8f4b54928309570ab3513905e65a Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Fri, 30 Aug 2024 18:34:50 +0100 Subject: [PATCH 1/3] hw/m68k/mcf5208: Avoid shifting off end of integer In m5208_sys_read(), we have a loop of n from 0 to 31, and we calculate (2u << n). For the n == 31 iteration this will shift off the top of the unsigned 32 bit integer. This is harmless, because we're going to stop the loop with n == 31 anyway, but we can avoid the error by using 64-bit arithmetic here. (The SDCS0 register is documented at https://www.nxp.com/docs/en/reference-manual/MCF5208RM.pdf section 18.4.5; we want the lower 5 bits to indicate the RAM size, where 31 == 4GB, 30 == 2GB, and so on down. As it happens, the layout of the mcf5208evb board memory map means it doesn't make sense to have more than 1GB of RAM in any case.) Resolves: Coverity CID 1547727 Signed-off-by: Peter Maydell Reviewed-by: Thomas Huth Message-ID: <20240830173452.2086140-2-peter.maydell@linaro.org> Signed-off-by: Thomas Huth --- hw/m68k/mcf5208.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/m68k/mcf5208.c b/hw/m68k/mcf5208.c index ec14096aa4..0ad347dfa8 100644 --- a/hw/m68k/mcf5208.c +++ b/hw/m68k/mcf5208.c @@ -158,7 +158,7 @@ static uint64_t m5208_sys_read(void *opaque, hwaddr addr, { int n; for (n = 0; n < 32; n++) { - if (current_machine->ram_size < (2u << n)) { + if (current_machine->ram_size < (2ULL << n)) { break; } } From 175f5a5b48033579d4de5c904a9f43c0d327152e Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Fri, 30 Aug 2024 18:34:51 +0100 Subject: [PATCH 2/3] hw/m68k/mcf5208: Add URLs for datasheets The datasheets for the SoC and board we model here are still available from the NXP website; add their URLs and titles for future reference. Signed-off-by: Peter Maydell Reviewed-by: Thomas Huth Message-ID: <20240830173452.2086140-3-peter.maydell@linaro.org> Signed-off-by: Thomas Huth --- hw/m68k/mcf5208.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/m68k/mcf5208.c b/hw/m68k/mcf5208.c index 0ad347dfa8..b6677ad6bc 100644 --- a/hw/m68k/mcf5208.c +++ b/hw/m68k/mcf5208.c @@ -4,6 +4,14 @@ * Copyright (c) 2007 CodeSourcery. * * This code is licensed under the GPL + * + * This file models both the MCF5208 SoC, and the + * MCF5208EVB evaluation board. For details see + * + * "MCF5208 Reference Manual" + * https://www.nxp.com/docs/en/reference-manual/MCF5208RM.pdf + * "M5208EVB-RevB 32-bit Microcontroller User Manual" + * https://www.nxp.com/docs/en/reference-manual/M5208EVBUM.pdf */ #include "qemu/osdep.h" From df827aace663fdd9c432e2ff76fb13d20cbc0ca4 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Fri, 30 Aug 2024 18:34:52 +0100 Subject: [PATCH 3/3] hw/nubus/nubus-device: Range check 'slot' property The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot using an int32 "slot" QOM property. Its realize method doesn't do any range checking on this value, which Coverity notices by way of the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might overflow the 32-bit arithmetic it is using. Constrain the slot value to be less than NUBUS_SLOT_NB (16). Resolves: Coverity CID 1464070 Signed-off-by: Peter Maydell Message-ID: <20240830173452.2086140-4-peter.maydell@linaro.org> Reviewed-by: Thomas Huth Reviewed-by: Mark Cave-Ayland Signed-off-by: Thomas Huth --- hw/nubus/nubus-device.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/nubus/nubus-device.c b/hw/nubus/nubus-device.c index be4cb24696..26fbcf29a2 100644 --- a/hw/nubus/nubus-device.c +++ b/hw/nubus/nubus-device.c @@ -35,6 +35,13 @@ static void nubus_device_realize(DeviceState *dev, Error **errp) uint8_t *rom_ptr; int ret; + if (nd->slot < 0 || nd->slot >= NUBUS_SLOT_NB) { + error_setg(errp, + "'slot' value %d out of range (must be between 0 and %d)", + nd->slot, NUBUS_SLOT_NB - 1); + return; + } + /* Super */ slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;